CNIL Cracks Down on Employee Video Monitoring and Password Strength


In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees and because the CCTV enabled the constant monitoring of one employee making the recording disproportionate to the goal pursued. The CNIL also sanctioned the company because it failed to implement an adequate level of security of the data housed on its systems.

The agents of the CNIL noticed during an on-site inspection that passwords used within the company to log into its systems, and therefore to access personal data stored within those systems, were simple to crack. Indeed, most of them were only 5 characters and some of them were only the surname or name of the employees and had not been changed since 2011.

The CNIL therefore required that the company implement a data security policy. 

After another on-site inspection, the agents of the CNIL noticed that, despite its commitments, the company had not implemented such a policy.

The CNIL concluded that the company did not provide for an adequate level of protection of data given that the passwords were short, simple and not modified.

According to Article 34 of the French Data Protection Act of January 6th, 1978, the data controller shall take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties.

In a previous post, we highlighted the recommendations enacted by the CNIL to help companies to strengthen the security of their data processing.

In light of the vulnerabilities noticed during the on-site inspections and the failure of the company to properly address them, the company was required by the CNIL to pay a €10,000 fine.

Companies located in France must therefore pay particular attention to their data security policies to make sure that they comply with French data protection law requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.